What is the easiest way in Maven pom.xml to upgrade all usages of log4j2 to 2.15.0, including dependencies using log4j2? See CVE-2021-44228
Updates:
- 2022/01/04:
Log4J 2.17.1 contains a fix for CVE-2021-44832
- 2021/12/22:
Spring Boot 2.5.8 and 2.6.2 haven been released and provide dependency management for logback 1.2.9 and Log4J 2.17.0.
- 2.17.0 fixes CVE-2021-45105
- 2.12.2 released (2021/12/14)
- 2.16.0 fixes also CVE-2021-45046
OP:
spring-boot "by default" is NOT AFFECTED by CVE-2021-44228(log4shell).
Though versions [2 - 2.6.1] (any -starter) depend on log4j-api and slf4j-to-log4j,
Slf4j says:
If you are using log4j-over-slf4j.jar in conjunction with the SLF4J API, you are safe unless the underlying implementation is log4j 2.x.
To be sure,
-
in maven inspect the output of:
mvn dependency:tree -Dincludes=*log4j* -
in gradle:
gradle -q dependencyInsight --dependency log4j
Having spring-boot-starter-log4j2 on board
We are definitely affected (with spring-boot > 1)!
To (fix via) update, the easiest is probably:
-
maven:
<properties> ... <log4j2.version>2.17.1</log4j2.version><!-- as of 2021/12/28 --> </properties>..in the pom.
-
gradle:
ext['log4j2.version'] = '2.17.1'.. in build.gradle, or:
log4j2.version=2.17.1.. in gradle.properties.
...build, test, release, deploy.
Links:
- log4j2-vulnerability-and-spring-boot
- slf4j-log4shell
- CVE-2021-44228
- CVE-2021-45046
- CVE-2021-45105
Now it's recommended to use
<log4j2.version>2.16.0</log4j2.version>